The professionalisation of information security: Perspectives of UK practitioners

Abstract

In response to the increased “cyber” threats to business, the UK and US Governments are taking steps to develop the training and professional identity of information security practitioners. The ambition of the UK Government is to drive the creation of a recognised profession, in order to attract technology graduates and others into the practice of cyber-security. Although much has been written by state bodies and industry commentators alike on this topic, we believe this qualitative study is the first empirical academic work investigating attitudes to that professionalisation amongst information security workers. The results are contextualised using concepts from the literature in the fields of professionalisation and social topics in information security.Despite the movement to establish professional status for their industry, these practitioners showed mixed levels of support for further professionalisation, with a distinctly wary attitude towards full regulation and licensing and an explicit rejection of elitist and exclusive models of profession. Whereas the UK Government looks to establish “professional” status in order to attract entrants, such status in itself was seen to be of little import to those already working in the area. In addition there are significant tensions between managers embracing business- and human-centred security and those more interested in the technical practice of executing policy.While these tensions continue, the results suggest that state attempts artificially to catalyse the professionalisation process for this group would be precipitate. Historically such projects have risen from the front line; ambitions to move the industry in that direction might see more success by identifying and delegating control to a single regulatory body, founded and respected by the people it aims eventually to regulate.